OpenSSL - Add Subject Alternate Name (SAN) when signing with CA

30,438

Personally I add the alt names at CSR generation, so I know that works (there's a little byplay in default conf files both for generation and signing).

For changing afterwards, as far as I remember the Alt Names are extensions, and it seems you can override or add the extensions you want while doing the signing. I will shamelessly copy:

From: Patrick Patterson @carillonis.com
Newsgroups: mailing.openssl.users
Subject: Re: Sign CSR after modifying data in CSR possible?
Date: Tue, 5 Jan 2010 15:14:05 -0500
Message-ID: <mailpost.1262722567.7762451.82829.mailing.openssl.users@FreeBSD.cs.nctu.edu.tw>

When you are using the OpenSSL CA (strangely enough: openssl ca) command, you can give it numerous options, including which Subject value to use (the -subj argument), and which extensions to use (via the -extfile and -extensions arguments).

So you can set both which extensions you want and which Subject you want (causing both values in the CSR to be completely ignored) by a command like:

openssl ca -config /etc/myca/openssl.cnf                       \
    -extfile /etc/myca/openssl-exts.cnf                        \
    -extensions sig-medium                                     \
    -subj "/C=CA/O=Example Company/OU=Engineering/CN=John Doe" \
    -in req.csr                                                \
    -out john-doe.pem

Where:

/etc/myca/openssl-exts.cnf contains:

[ sig-medium ]
basicConstraints                = CA:FALSE
keyUsage                        = critical, digitalSignature
extendedKeyUsage                = emailProtection, anyExtendedKeyUsage
nsComment                       = "Do Not trust - PURE TEST purposes only"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer
subjectAltName                  = @testsan
authorityInfoAccess             = @aia_points
crlDistributionPoints           = @crl_dist_points

[ testsan ]
email = [email protected]
DNS = www.example.com
dirName = test_dir
URI = http://www.example.com/
IP = 172.16.0.1
otherName.0 = 1.3.6.1.4.1.311.20.2.3;UTF8:[email protected]
otherName.1 = 1.3.6.1.5.5.7.8.7;IA5STRING:_mail.example.com
otherName.2 = 1.3.6.1.5.5.7.8.5;UTF8:[email protected]

[aia_points]
caIssuers;URI.0=http://www.example.com/caops/Signing-CA.p7c
caIssuers;URI.1=ldap://dir.example.com/<DN of Signing CA>?cACertificate;binary?base?objectclass=pkiCA

[crl_dist_points]
URI.0=http://www.example.com/caops/test-signca1-crl.crl
URI.1=ldap://dir.example.com/<DN of Signing CA>?certificateRevocationList;binary?base?objectclass=pkiCA
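The procedure the answer describes, carried end to end as an added example (it is not part of the original answer or of the quoted mailing-list post): a CSR that carries no SAN is signed with openssl ca, and subjectAltName is supplied from an -extfile section at signing time, with the subject overridden by -subj as in the quoted command. It assumes the openssl command-line tool (1.1.1 or newer) is on PATH; the CA name, hostnames, IP address, section names and file paths are all constructed for the demo. It also adds the two checks a signer wants before trusting the result: that the request really had no SAN beforehand, and that the issued certificate chains to the CA and carries exactly the SAN it was given.

```shell
#!/bin/sh
# Added example, not from the answer above: sign a SAN-less CSR with
# "openssl ca", supplying subjectAltName through -extfile/-extensions.
# Assumes the openssl CLI (1.1.1 or newer) is on PATH. All names, addresses
# and paths below are constructed for the demo.

# csr_has_san CSR: succeeds only if the request already carries a SAN.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# cert_san CERT: prints the subjectAltName value line of an issued certificate.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | sed 's/^[[:space:]]*//'
}

# sign_csr_with_san DIR: builds a throwaway CA in DIR, creates a CSR with no
# SAN, and signs it so that the SAN (and the subject) come from the signer.
sign_csr_with_san() {
    dir="$1"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"        # empty CA database
    echo 1000 > "$dir/serial"   # next serial number, hex

    # One config used by "openssl req" (CA cert and CSR) and by "openssl ca".
    cat > "$dir/ca.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir            = $dir
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
certificate    = \$dir/ca.pem
private_key    = \$dir/ca.key
default_md     = sha256
default_days   = 30
policy         = policy_loose
unique_subject = no
[ policy_loose ]
commonName       = supplied
organizationName = optional
EOF

    # Extensions injected at signing time, mirroring the answer's -extfile.
    cat > "$dir/exts.cnf" <<EOF
[ server_san ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = @san_names
[ san_names ]
DNS.1 = www.example.com
DNS.2 = example.com
IP.1  = 192.0.2.10
EOF

    # Self-signed demo CA.
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo Signing CA" -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1

    # The requester's CSR: the private key stays with the requester, no SAN.
    openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1

    # Sign, overriding both subject and extensions as in the quoted command.
    openssl ca -config "$dir/ca.cnf" -batch -notext \
        -extfile "$dir/exts.cnf" -extensions server_san \
        -subj "/O=Example Company/CN=www.example.com" \
        -in "$dir/server.csr" -out "$dir/server.pem" >"$dir/ca.log" 2>&1 \
        || { cat "$dir/ca.log" >&2; return 1; }
}

# Demo run in a fresh temporary directory.
demo_dir=$(mktemp -d)
sign_csr_with_san "$demo_dir" || exit 1
csr_has_san "$demo_dir/server.csr" && echo "request already had a SAN (unexpected)"
echo "SAN in issued certificate: $(cert_san "$demo_dir/server.pem")"
openssl verify -CAfile "$demo_dir/ca.pem" "$demo_dir/server.pem"
```

The policy section matters as much as the extension file: openssl ca builds the issued subject from the policy entries, so a subject component that is absent from the policy is dropped even when it was in the CSR or in -subj. Keep the CA log (ca.log here) when a signing fails; openssl ca reports policy and extension problems there rather than on stdout.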

Author: mechgt (engineer)

Updated on September 18, 2022

Comments

  • mechgt
    mechgt over 1 year

    How can I add a Subject Alternate Name when signing a certificate request using OpenSSL (in Windows if that matters)?

    I've generated a basic certificate signing request (CSR) from the IIS interface. Now, I'd like to add several subject alternate names, sign it with an existing root certificate, and return the certificate to complete the signing request.

    Every tutorial I could find involves generating a new private key and a brand new CSR, however I was under the impression that the private key resides on the requesting computer (which I wouldn't necessarily have access to). I just want to sign the request while adding the alternate names. I'm relatively new to OpenSSL and CA topics so this may be a misunderstanding on my part.

    • Admin
      Admin almost 8 years
      The alternate names go in the CSR, then you sign the CSR. You don't 'add' more when signing.
    • mechgt
      mechgt almost 8 years
      You may not modify the base components of the request, but you may add extensions to the request and the alternate names (SAN) are one of those extensions available.
  • mechgt
    mechgt almost 8 years
    Great, using your examples above I was able to add the additional extensions (including Subject Alternate Name). I believe I had a misunderstanding in how the .cnf files were being utilized. Thanks!!
  • Law29
    Law29 almost 8 years
    Nice, happy to have helped. I may actually have a use myself for what I learned while researching your question!